What is the single greatest threat that your organization faces? SolarWinds-style attacks? APTs? The answer is not what many initially think, largely because of the sensitive nature of the answer. Based on years of observations spanning multiple industries, it is clear that the single greatest threat many organizations face is the dysfunction of their own management teams. This is not meant to be cynical or comical, but to point out a legitimate cybersecurity and data protection threat that most often manifests as the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. I am joined by Ryan Bonner from DefCERT to shed light on this understanding of threats, how it impacts an organization's security/compliance efforts and what can be done to remedy the situation.
This bold statement about an organization's management team being its greatest threat may sound harsh, but it is a defensible position when you assess what natural and manmade threats are and how they relate to risks:
In practical terms, weak, ineffective and/or incompetent management practices are a manmade threat that exposes an organization to significant risk (see the listing of these risks further down this article). The reason is that risks and threats are directly tied to controls: if management inaction or interference leads to (1) the absence of a required control or (2) a control deficiency, then control execution has been negatively affected, and the organization is exposed to the risks associated with that specific control deficiency.
Unlike an Advanced Persistent Threat (APT) from China, Russia or Iran, an organization's internal management dysfunction is a "persistent threat" that should not be overlooked as part of a threat assessment process.

What Is Driving The Need For Risk Management?

Recent, high-profile hacking incidents have led to more regulatory pressure at the state, federal and international level to maintain secure practices from both a cybersecurity and a data protection (privacy) perspective. This has directly led to greater scrutiny of organizational practices by partners and clients. No one can manage risk if the concept of risk management is ethereal and ever-changing, so it is the role of the leadership team to:
When you look at the fundamental role of a "leader," it is to establish context and drive operations to meet the organization's business plan. It is more than managing resources; it is a question of character, where the leader establishes a positive environment in which everyone thrives while achieving targeted results.

This concept of a "management threat" has grown from affecting individual organizations to affecting an entire industry. Starting 1 January 2018, the Defense Industrial Base (DIB) was obligated to protect Controlled Unclassified Information (CUI) according to National Institute of Standards and Technology (NIST) SP 800-171. Due to the abysmal adoption of secure practices by the DIB to protect CUI, the US Department of Defense (DoD) was obligated to create the Cybersecurity Maturity Model Certification (CMMC) to implement an independent, third-party assessment program. Fundamentally, CMMC is the direct result of management failure within the DIB to adopt secure practices and implement contractual obligations to protect its clients' data.

Risk Blindness & Personal Bias

In the government contracting space, management often suffers from a kind of "risk blindness" stemming from the way risk is communicated in the supply chain. For decades, unclassified information was poorly categorized, marked and managed, while classified information was treated with reverence and highly structured processes. The US government's focus on protecting regulated data (e.g., CUI) without clear definitions has created a scenario where contractors often lack the background information needed to understand and prioritize risk. Without a clear understanding of what needs protecting, managers within the DIB are often left with "gut feel" determinations (unfounded, qualitative risk analysis) and their own personal experience (subject to bias) to manage risk.
Cognitive bias worsens the myopia associated with risk management by allowing management to drift towards mental structures that have adequately served their organization and its operations up to this point. This can include personal leanings such as:
These kinds of bias further ingrain emotionally driven, qualitative analysis into the risk equation, meaning that risk is "downplayed" instead of evaluated and mitigated based on objective management practices.

False Sense of Risk Management

There is clearly a fiduciary aspect to leadership and management roles, where decisions must be in the best interest of the organization rather than in the individual's own interest. An example of this is a case where a "leadership team" consisting of a Chief Information Security Officer (CISO), Chief Information Officer (CIO) and Chief Financial Officer (CFO) refused to provide the quantifiable criteria (e.g., risk thresholds) needed to assess risk as part of a formal risk management program. These quantifiable thresholds exist to categorize an incident as low, moderate, high, severe or catastrophic so that the appropriate level of management is involved in assessing and approving risk management decisions. Management refused to take a stand and define thresholds when directly asked for authoritative guidance that only their roles could provide. This management inaction directly made the organization's risk management practices nebulous and unquantifiable. The result is a "paper tiger" risk management program that appears impressive but is ineffectual and cannot be operationalized.

In situations like the one described above, where the overall approach to risk management is poorly defined, legitimate risk management practices are impeded, including the traditional Three Lines of Defense (3LOD) model. 3LOD becomes useless and creates a false sense of risk management, since it incorrectly assumes that a viable risk management program exists that clearly defines risk, who can manage it and what options exist for managing it. For those not familiar with the 3LOD model:
The traditional 3LOD model misses the need for a "0LOD," the genesis of the organization's risk management program, where the leadership team explicitly establishes and enforces the criteria needed to identify, manage and monitor risks. 1LOD, 2LOD and 3LOD are all negatively impacted by unclear risk management guidance from an organization's leadership team.

Examples of Management Dysfunction

Fear is a common denominator in these observed management failures within risk management:
Risks Associated With Weak, Ineffective and/or Incompetent Management

When you look at the possible risks arising from the threat of weak, ineffective and/or incompetent management, it is clearly a significant threat (risk listing courtesy of the SCF's Security & Privacy Risk Management Model (SP-RMM)):
What Can Be Done To Address This Threat?

Organizations need to take the concept of management being a potential threat seriously by:
For organizations, this may mean removing unfit individuals from management roles by transferring them to a new role or terminating their employment, since such an individual is a liability to the organization. Employees and contractors need to understand their responsibilities and options:
As an employee, if those legitimate efforts fail, the organization may be a lost cause and it is time to resign and find work at an organization that both appreciates your skill set and takes risk management seriously.

About The Authors

If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements. Ryan Bonner is the CEO of DefCERT, a firm providing DFARS, NIST and CMMC consulting services for government contractors. In addition to private consulting engagements, DefCERT works extensively with NIST Manufacturing Extension Partnership programs, economic development organizations, and managed IT service providers.